•  Form situational awareness for the SEI, its sponsors, and the Internet community

-  Big picture view of threats

•  Constraints

-  Situational awareness can only be formed with data from many organizations; all data is governed by the constraints of its owners

-  Must provide a reasonable value proposition for data sharing

-  Strict hierarchies in data sharing will not scale

-  Solutions must be built with open and transparent architectures
Focus on merging and analyzing data from multiple viewpoints

•  Distinguish between targeted, localized, and Internet-wide activity

-  Widely targeted services

-  Clusters of attacks

-  Passive detection of new tools

-  Attack techniques du jour

-  Attack sources

•  Historical trending

-  Enable forward estimation of expected intruder activity at a site
•  Generating “Top 10” lists and volumetric measures based on

-  Packet/flow features: IP addresses, ports, protocols, signature, etc.

-  Context: timing, vulnerability, country, net-blocks, etc.
[Chart legend: Denial of Service, Unclassified, Suspicious Activity, Privilege Escalation, Policy Violation, Reconnaissance]

Shared source IP addresses targeting multiple organizations
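The two analyses above (volumetric “Top N” lists over packet/flow features, and separating targeted from localized and Internet-wide activity by how many participating organizations report the same source) can be demonstrated with a few lines of glue. The following is an added example written for this page, not AirCERT code; the `Event` field names, the `wide_fraction` threshold, the organization names and the sample events are all assumptions.

```python
"""Added example (not AirCERT code): "Top N" volumetric measures over packet/flow
features, plus the targeted / localized / Internet-wide distinction, computed by
counting how many participating organizations report the same source.
Field names, thresholds and the sample events are all assumptions."""
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple


class Event(NamedTuple):
    """One normalized event: packet/flow features plus the reporting site as context."""
    org: str          # reporting organization (the data owner)
    src_ip: str
    dst_port: int
    proto: str
    signature: str


# Constructed sample events (documentation address ranges); not real sensor output.
EVENTS: List[Event] = [
    Event("orgA", "203.0.113.5", 445, "tcp", "SMB probe"),
    Event("orgB", "203.0.113.5", 445, "tcp", "SMB probe"),
    Event("orgC", "203.0.113.5", 445, "tcp", "SMB probe"),
    Event("orgD", "203.0.113.5", 139, "tcp", "NetBIOS probe"),
    Event("orgA", "198.51.100.7", 22, "tcp", "SSH brute force"),
    Event("orgA", "198.51.100.7", 22, "tcp", "SSH brute force"),
    Event("orgB", "198.51.100.9", 80, "tcp", "HTTP scanner"),
    Event("orgC", "198.51.100.9", 80, "tcp", "HTTP scanner"),
    Event("orgD", "192.0.2.44", 53, "udp", "DNS amplification"),
]
ALL_ORGS: Set[str] = {"orgA", "orgB", "orgC", "orgD"}


def top_n(events: List[Event], field: str, n: int = 10) -> List[Tuple[object, int]]:
    """Volumetric "Top N" over any feature column: src_ip, dst_port, proto, signature."""
    return Counter(getattr(e, field) for e in events).most_common(n)


def orgs_per_source(events: List[Event]) -> Dict[str, Set[str]]:
    """Map each source IP to the set of organizations that reported it."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        seen[e.src_ip].add(e.org)
    return dict(seen)


def classify_sources(events: List[Event], all_orgs: Set[str],
                     wide_fraction: float = 0.75) -> Dict[str, str]:
    """Label each source: 'targeted' (one organization), 'internet-wide' (at least
    wide_fraction of participants) or 'localized' (in between). The threshold is an
    assumption; a real deployment would tune it to the number of participants."""
    labels: Dict[str, str] = {}
    for ip, orgs in orgs_per_source(events).items():
        if len(orgs) == 1:
            labels[ip] = "targeted"
        elif len(orgs) >= wide_fraction * len(all_orgs):
            labels[ip] = "internet-wide"
        else:
            labels[ip] = "localized"
    return labels


def shareable_sources(events: List[Event], min_orgs: int = 2) -> List[str]:
    """Source IPs worth sharing back to participants: seen by at least min_orgs
    distinct organizations, so the list never rests on one site's data alone."""
    return sorted(ip for ip, orgs in orgs_per_source(events).items()
                  if len(orgs) >= min_orgs)


if __name__ == "__main__":
    print("top ports:", top_n(EVENTS, "dst_port", 3))
    print("top signatures:", top_n(EVENTS, "signature", 3))
    print("classification:", classify_sources(EVENTS, ALL_ORGS))
    print("shareable:", shareable_sources(EVENTS))
```

The `min_orgs` cut-off in `shareable_sources` is the design choice that matters for the sharing constraints on the first slide: a source that only one site has seen is that site's data, and publishing it would expose a single owner; a source seen by several sites is the cross-organization observation that no participant could have made alone.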
•  http://aircert.sourceforge.net

•  Gather data from existing security solutions already deployed

-  Partner with security operations in the federal civilian community and in academia

•  Write “glue” to integrate, convert, analyze, and share the data across organizations

•  Provide analytical results back to participants and sponsors
Synthesized Data

•  Categorization

-  SIM/SEMs (e.g., ArcSight)

-  IDS (e.g., Snort)

•  Discovery

-  Flow data (e.g., argus)

•  Refinement

-  Network topology information

-  IT and data sharing policies

•  Context

-  Vulnerability (e.g., CERT/CC KB)

-  Artifacts (e.g., CERT/CC AC)
Collection Infrastructure
•  Provides infrastructure to automatically extract relevant information from existing instrumentation

-  If human intervention is required, sharing is too expensive

•  Wrote “normalizers” to handle the reformatting and semantic transformation of the data

-  Too many vendors to write one-off tools for each

-  Write a transformation engine that understands the underlying data-store: text files, RDBMS, etc.
Sharing Infrastructure: Collection

•  The key to facilitating data sharing across organizations is

-  Making it seamless: no human interaction

-  Ensuring policy compliance

•  All “normalizers”, “publishers”, and the underlying storage architecture have a notion that all data has an owner

-  Dissemination respects the site’s local policy

-  Sanitization of sensitive data

-  Tagging of all data with a source identifier
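The normalizer slide and the three owner-policy bullets above describe one pipeline: reformat whatever the local instrumentation emits into a common record, then let the owning site's policy decide what leaves (sanitization) while every record keeps its source identifier. The following is an added example written for this page, not AirCERT's normalizer or publisher. It parses a real Snort “fast” alert line and a constructed CSV flow line; the `SitePolicy` fields, the flow CSV layout, the site name `orgA`, the per-site key and the sample lines are assumptions.

```python
"""Added example (not AirCERT's normalizer): a small transformation engine that
normalizes two input formats into one event record, then applies the owning
site's sharing policy (pseudonymize internal addresses, optionally withhold the
signature text) and tags the result with the site's source identifier.
The policy fields, the flow CSV layout, the site name and key are assumptions."""
import hashlib
import hmac
import ipaddress
import re
from dataclasses import dataclass, replace
from typing import List, Optional

# Snort "fast" alert line; the [Classification: ...] block is optional in that format.
SNORT_FAST = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[(?P<sid>[\d:]+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]\s+(?:\[Classification:\s*(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


@dataclass(frozen=True)
class Event:
    source_id: str            # which site the record came from (always tagged)
    timestamp: str
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: Optional[int]
    proto: str
    signature: Optional[str]  # None when the owner's policy withholds it


@dataclass(frozen=True)
class SitePolicy:
    source_id: str
    internal_nets: List[ipaddress.IPv4Network]
    pseudonymize_internal: bool   # hide the site's own addresses before sharing
    share_signature: bool         # whether rule names may leave the site
    key: bytes                    # per-site secret: pseudonyms stable within a site, unlinkable across sites


def normalize_snort_fast(line: str, policy: SitePolicy) -> Event:
    """Snort fast-alert text -> common record (one 'normalizer' for one data-store)."""
    m = SNORT_FAST.match(line.strip())
    if not m:
        raise ValueError(f"not a Snort fast alert: {line!r}")
    return Event(
        source_id=policy.source_id, timestamp=m["ts"],
        src_ip=m["src"], src_port=int(m["sport"]) if m["sport"] else None,
        dst_ip=m["dst"], dst_port=int(m["dport"]) if m["dport"] else None,
        proto=m["proto"].lower(), signature=m["msg"],
    )


def normalize_flow_csv(line: str, policy: SitePolicy) -> Event:
    """Constructed flow layout: ts,src,sport,dst,dport,proto (not argus's native format)."""
    ts, src, sport, dst, dport, proto = line.strip().split(",")
    return Event(policy.source_id, ts, src, int(sport), dst, int(dport), proto.lower(), None)


def pseudonymize(ip: str, key: bytes) -> str:
    """Keyed hash: the same internal address always maps to the same token for one
    site, so cross-event correlation still works, but the address itself is not shared."""
    return "pseudo:" + hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()[:16]


def apply_policy(event: Event, policy: SitePolicy) -> Event:
    """Sanitize per the owner's policy; the source_id tag is never removed."""
    def sanitize(ip: str) -> str:
        addr = ipaddress.ip_address(ip)
        if policy.pseudonymize_internal and any(addr in net for net in policy.internal_nets):
            return pseudonymize(ip, policy.key)
        return ip
    return replace(
        event,
        src_ip=sanitize(event.src_ip),
        dst_ip=sanitize(event.dst_ip),
        signature=event.signature if policy.share_signature else None,
    )


# Constructed inputs and policy for a hypothetical site "orgA".
POLICY_A = SitePolicy("orgA", [ipaddress.ip_network("10.0.0.0/8")], True, True, b"orgA-secret")
SNORT_LINE = ("12/07-10:15:32.123456  [**] [1:2009:3] SSH brute force attempt [**] "
              "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] "
              "{TCP} 203.0.113.5:44321 -> 10.1.2.3:22")
FLOW_LINE = "2004-12-07T10:15:33,203.0.113.5,44322,10.1.2.3,22,tcp"


def publish_ready(policy: SitePolicy = POLICY_A) -> List[Event]:
    """Normalize both inputs and apply the policy; this is what would leave the site."""
    raw = [normalize_snort_fast(SNORT_LINE, policy), normalize_flow_csv(FLOW_LINE, policy)]
    return [apply_policy(e, policy) for e in raw]


if __name__ == "__main__":
    for ev in publish_ready():
        print(ev)
```

Two points worth noting in the design. The sanitization step uses a keyed hash rather than a plain hash or random token: with a plain hash anyone could confirm a guessed internal address, and with a random token the central analysis could no longer tell that the two records above concern the same target. And the policy is applied by the publisher at the owning site, before the data leaves, rather than by the recipient, which is the only arrangement under which "dissemination respects the site's local policy" holds without trusting the other end.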
Sharing Infrastructure: Dissemination

•  Sharing data with us is no different from sharing data with others

•  Tailor the channel for the audience

-  Web portal for a pre-digested snapshot

-  Export bulk data in a machine-readable format (e.g., XML, RSS)
Architecture

[Architecture diagram: AirCERT Sensors (DAC, CERT friends/family, standards-compliant sites); Normalization; Rex/tabula dredge (transmission engine)]
Big Picture Architecture

[Diagram: Data Sharing Organization; Policy Domain]

State of the Art
•  Many different formats used by the SEM and IDS products

-  Support standards efforts: IDMEF, IODEF, IPFIX, PSAMP

-  Storage-specific normalization tools

•  Normalizing signatures across IDS products

-  Using CVE and custom classification taxonomies

•  Analyzing the correct signature set

-  Use only explicit malicious activity

-  Filter out policy violations and poorly written signatures

-  Use the correct tool for the task

-  Deploy non-IDS sensors next to the IDS

•  Data loops (the same data returning through another sharing partner)

-  “Checksums” in the meta-data of the data stream
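The last bullet is terse, so here is what a checksum in the stream metadata buys in practice: each record carries a checksum fixed at its origin plus the list of sites it has passed through, and every receiver checks both before accepting. This is an added example written for this page, not AirCERT's transmission engine; the message layout, the site names and the sample record are assumptions.

```python
"""Added example (not AirCERT code): a content checksum and hop list carried in
the metadata of every published record, so a receiver can recognize its own
data coming back through another sharing path (a data loop), drop records it
already holds, and reject records whose payload no longer matches the checksum.
Message layout, site names and the sample record are assumptions."""
import hashlib
import json
from typing import Dict, List, Optional


def content_checksum(payload: Dict) -> str:
    """Checksum over a canonical serialization, so key order and whitespace do not matter."""
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def publish(payload: Dict, site_id: str, meta: Optional[Dict] = None) -> Dict:
    """Wrap a record for transmission. The origin fixes the checksum once; every
    forwarding hop only appends itself to the path."""
    meta = dict(meta) if meta else {}
    if "checksum" not in meta:
        meta["checksum"] = content_checksum(payload)
        meta["origin"] = site_id
        meta["path"] = []
    meta["path"] = meta["path"] + [site_id]
    return {"meta": meta, "data": payload}


class Receiver:
    """One participant's ingest point; remembers checksums it has accepted."""

    def __init__(self, site_id: str) -> None:
        self.site_id = site_id
        self.seen: set = set()

    def ingest(self, msg: Dict) -> str:
        meta, data = msg["meta"], msg["data"]
        if content_checksum(data) != meta["checksum"]:
            return "reject:checksum-mismatch"   # altered in transit, or re-normalized without a new origin
        if self.site_id in meta["path"]:
            return "reject:loop"                # data we originated or already forwarded came back
        if meta["checksum"] in self.seen:
            return "reject:duplicate"           # same record arriving via a second path
        self.seen.add(meta["checksum"])
        return "accept"


def scenario() -> List[str]:
    """orgA -> orgB -> cert -> orgA, plus a duplicate delivery and a tampered copy."""
    record = {"src_ip": "203.0.113.5", "dst_port": 22, "signature": "SSH brute force"}
    org_a, org_b, cert = Receiver("orgA"), Receiver("orgB"), Receiver("cert")
    results = []
    msg = publish(record, "orgA")
    results.append(org_b.ingest(msg))                       # accept
    msg = publish(msg["data"], "orgB", msg["meta"])
    results.append(cert.ingest(msg))                        # accept
    results.append(cert.ingest(msg))                        # reject:duplicate
    msg = publish(msg["data"], "cert", msg["meta"])
    results.append(org_a.ingest(msg))                       # reject:loop
    tampered = {"meta": msg["meta"], "data": {**msg["data"], "dst_port": 23}}
    results.append(org_b.ingest(tampered))                  # reject:checksum-mismatch
    return results


if __name__ == "__main__":
    print(scenario())
```

The checksum and the path do different jobs. The checksum alone catches duplicates and corruption but cannot catch a loop if a hop re-normalizes the record on the way through, because the payload and therefore the checksum change; the path catches the loop regardless. Conversely, a hop that does transform the payload must publish it as a new origin (fresh checksum, path reset to itself), otherwise every downstream receiver rejects it as a mismatch.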
Challenges and Solutions (2)

•  Need both push and pull models, while supporting varied levels of automation

-  Unified presentation engine (ACIDv2)

-  Publisher for bulk-data transfer
Ongoing Work

•  Intelligent end-points that summarize instead of sending all data

•  Automated ways to overlay the context provided by vulnerability and artifact information

•  Continued support for standards work

•  Improved attention-focusing techniques from flow data to IDS and vice versa

•  Improved approaches for integrating the analytical products into operations